creffett gave a talk over IRC about how public and private keys work.
<creffett> the general idea of public-key (aka asymmetric) crypto is that you don't need a side channel to distribute passwords <creffett> because let's say I want to share a file with jrouly here <creffett> and I want to encrypt it, it's very seekrit. unless we have agreed-upon passwords, I need to find a secure way to get him the password <creffett> and at that point, I might as well give him the file itself via that secure way <creffett> so public-key crypto gets around that by you having two keys: a public key and a private key <anupkalburgi> I have been following this pypi development from sometime and i have found it to be very informative <anupkalburgi> https://cryptography.io/en/latest/ <creffett> in the implementations we're concerned with (not true for all public-key setups, though), the public key can decrypt stuff encrypted by the private key, and vice-versa <creffett> the two are mathematically related, it involves large primes and factoring big numbers, and since we're not the math geeks society here I won't go into the nitty-gritty <creffett> so you make your public key...well, public <creffett> you might upload it to a keyserver, or send it via email, or whatever <creffett> anyone who wants to send a secure message to you can encrypt something with the public key and send it <creffett> but only the person with the private key (you) can decrypt that message <creffett> you can also sign a message, how that works is that you hash your message and encrypt the hash with your private key <creffett> the recipient decrypts it with your public key, verifies the hash, and they know both that you sent the message and that it hasn't been tampered with <creffett> (if you didn't send it, they couldn't decrypt with your public key, and if it were tampered with the hash would be wrong) <creffett> you'll probably use signing more often than encryption <creffett> now, for PGP/GPG <creffett> you can sign someone else's key <creffett> same concept as before, what happens is that your private key is used to encrypt someone else's key or a hash thereof <creffett> and that gets attached to the key <creffett> and then someone can verify that you've signed it using your public key <creffett> the point of this is what's called the "web of trust" <creffett> I need two volunteers from the audience <creffett> thank you for volunteering, jrouly and samertm <samertm> yesss <creffett> so let's say I need to send a message to samertm <creffett> and I want it encrypted <creffett> but I haven't verified that the key which claims to be his is actually his <creffett> but I trust jrouly, who is a shining paragon of paragonness <creffett> and he's signed samertm's key * jrouly shines, like a paragon of paragonness <creffett> based on that (or, if I prefer, based on several peoples' signatures) <creffett> I can say that samertm probably owns that key, and so feel safe about sendign things <creffett> this leads to one of the most important points I can make about signing <creffett> NEVER EVER EVER sign someone's key without verifying them in person <creffett> I know it's a little over-the-top paranoid <creffett> but there's no guarantee that the person sitting at their computer, or chatting, or whatever, is actually them <creffett> I personally tend to ask for photo ID, which is very over the top, but still <creffett> don't sign unless you're in person, or at least got the key number in person <creffett> that is all. <creffett> questions? <renfredxh> *applause* <jrouly> how does package security / key-signing for developers work? <samertm> creffett, very interesting, I didn't know that's how it works. <jrouly> eg. arch linux's pacman-key tool <jrouly> I'm sure ubuntu has something similar <creffett> jrouly: you generally sign the Manifest for the package <creffett> or the install scripts themselves, or the commits * Datsundere has quit (Ping timeout: 248 seconds) <jrouly> so it's kosher to sign a file like that, but not someone else's key? <creffett> (signing the manifest, which has the checksums of all of the files, verifies that nobody's slipping you a fake package) <creffett> jrouly: you personally, the commiter, sign it <creffett> and then the user can verify that signature, since distros usually have an official keyring of keys used to sign <creffett> (some distros use one master key) <jrouly> makes sense <samertm> creffett, thanks for the talk! <creffett> no problem <creffett> and remember kids, never bring alcohol to a keysigning party <samertm> anupkalburgi, interesting link <jrouly> always pregame keysigning parties instead. <jrouly> if you bring alcohol, creffett will just drink it <anupkalburgi> Ya right, most of the times i look at the drivers license before signing for someone <anupkalburgi> thanks for the talk creffett <samertm> at the VTLUUG keysigning party, you had to bring two forms of identification <renfredxh> so serious <creffett> we need to bring in more people from the strong set. <renfredxh> so how do you actually go about signing other people things? <creffett> I'm in the strong set thanks to lfaraone, but if I could ever make a linux conference with the keysigning party in English... <renfredxh> Like ok, I show you my ID, when what takes place <creffett> renfredxh: I pull up your key from a keyserver <creffett> you verify that that's your key <creffett> I push the "sign key" button on my GPG client of choice <creffett> type in my key's passwor <creffett> d <creffett> (oh, always put a strong pw on your key) <samertm> so they have to be indoors? <creffett> I mean, we're talking about CS people to start with... <anupkalburgi> We should plan having a key signing thing at mason... If you like it to call as party that is ok too <samertm> anupkalburgi, I was talking to patriot hackers about it <renfredxh> interesting <samertm> and they're interested <anupkalburgi> we should consider that... if people here are interested <creffett> do it <creffett> then bring in people in the strong set, get them to sign <creffett> suddenly strong set! <samertm> get luke to show up <creffett> I've got Luke's entry taken care of <creffett> but other people <creffett> more entries into the set -> stronger verification <creffett> frickin' LinuxTag having the keysigning party in German.. <samertm> linuxtag, you're it <samertm> 1 sec <creffett> no